(S//REL) High Level Goals

• Detect (all!) botnet activity on our sensors

- Alert only when activity is relevant and time-sensitive
  » Involves entities/commanding of high interest
  » Involves protected areas
  » Could initiate defensive action

- Generate metadata always
  » Aids in attribution and retrospective analysis

- Enrich metadata as much as possible
  » Alleviates the need for in-depth knowledge of actors or malware
(S//REL) Concept/Idea Behind It

(S//REL) What we offer today

• An extensible botnet processing service
- Capabilities are added via configuration or specialized processors

• The ability to track events spanning across 5-tuples
- Enables production of Event Summaries and Enrichment

• Geographical dispersion
- SIGINT perspective, currently at SCS sites and MHS (prototype)

• TURMOIL augments Defensive Efforts twofold
- Early warning Tips for defensive action (to NETEZZA, then TUTELAGE)
- Metadata for characterization and to support attribution (to GMPLACE and RONIN, then CYBERCLOUD and MARINA)
(S//REL) Progress over the last year

• Advancements
- Zeus RC4 encrypted processing flow
- Base64 decoding, e.g. BEB v1.8 target IP extraction
- Limited Metadata Enrichment
  » Case Study to support QBOT activities
- Deployment to F6 sites and a second system at MHS
- Established ASDF to GMPLACE for GHOSTMACHINE analytics
- Established flow to NETEZZA (TURQI) for validation
- Defined Botnet Lifecycle Model for categorizing enrichment metadata
(S//REL) Current Development Focus

• Attain analyst validation
- Ingest into GM and create Views
- End-to-end dataflow validation

• Improve Metadata Enrichment capabilities
- Define generic model to create metadata PCRE rules
- Refine Enrichment Model for Malware

• Improvements to function as a framework/service
- Greater focus on metadata enrichment

• Provide dynamic AEG tasking

• Re-factor Tasking and Tips to fit botnets
- Update Tip format to closely align with extracted data

• Add specialized packet processors
- Mariposa
- Looking for opportunities
(S//REL) Future Work

• Initial development
- Initiate promotion (to XKS) or collection flows
- Re-factor SEG to make Metadata Enrichment more flexible
- Redesign the Analytic to provide more valuable Summaries
  » Possibly detect point of origin of Herder commanding

• Biggest Challenges
- Currently have no means to track peer-to-peer botnet activity
  » May look to current TURMOIL Fast Flux capabilities for ideas
- Encrypted bots defeat most attempts at tracking and reporting
  » Possible candidate for TURMOIL Re-Injection flow
(TS//SI//REL) Current Implementation

(TS//SI//REL) The Components

• BotDiscoveryAeg
- Not a Snort based application.
- Ingests translated Snort signatures and tasks the FSPF.
- Emulates Snort behavior as closely as possible.
• RC4Aeg/RC4Seg
- Highly specialized components aimed at detecting RC4 Encrypted Zeus activity.
• MariposaAeg (currently in development)
- Highly specialized: detects and decodes a particular encoding.
• BotDiscoverySeg
- De-dups on SID/5-tuple for Tipping and MARINA.
- De-dups on SID/IP/Port for BotAnalyticSeg.
• BotAnalyticSeg
- Summarizes Event Metadata from BotDiscoverySeg.
- Provides metadata to RONIN.
• CIDR Block/SID Filter
- Filters Tip Events based on IP information OR SID.
• cbiot
- Translates Tip messages to adhere to TRAFFICTHIEF schemas.
SECRET//REL TO USA, FVEY

(S//REL) Current Dataflow

(TS//SI//REL) Prototype View - POUNDSAND

POUNDSAND Prototype Incubator
(TS//SI//REL) HIDDENSALAMANDER Outputs

What else can we tell today?

• ROLE of the IPs involved: Is it a Bot Controller? Bot Victim? Target?
• Who is the Target of this activity? (for certain botnets)
• Who has the Bot Controller been commanding (over time)?
• What botnet families are active in this region? How active?

What will we tell tomorrow?

• What "Attack" commands are active that we could use to exploit?
• What type of botnet activity is seen in this region? For this bot family?
  - (e.g. increased "Infections" in US, or most BadBot activity is "Reconnaissance")
• What actual [server, filename, command, IP, url] did they send/grab/connect to?
(S//REL) Current Model for Metadata Enrichment

(S//REL) "Categorizing" Existing Signatures

• Most popular bot signature analyst repositories:
- BLUESMOKE: Snort Rules
- XKEYSCORE: Fingerprints

• Requires author to add extra detail to the existing signature

• Requires front end tools to add extra fields to their GUIs for analyst input
- Suggested that the Lifecycle Stage Group and Stage Instance be required for submission for botnet signatures
- Other attributes may be optional for submission

(S//REL) Bot Characterization Proposed Flow
Example

• Command Found:

20;3000;10;0;0;30;300;20;20;2000;3000#flood http !#1#XK3 28938090

• How alert describes it:
IP SRC/DEST: 1.1.1.1 / 2.2.2.2
PORT TO/FROM: 234/123
SIGAD/CASN:
SID: 12345
SIGNATURE NAME: BEB:BlackEnergy_DDoS_X_of_Y
TIME: 00:00:00

• How summary describes it today:

IP SRC 1.1.1.1 PORT: 123 [ROLE: C2]
IP DEST a.a.a.a PORT: 234 [ROLE: BOT]
        b.b.b.b ..
        z.z.z.z

SID: 12345
SIGNATURE NAME: BEB:BlackEnergy_DDoS_X_of_Y
TIME: 00:00:00 - 00:00:10

FAMILY: BEB
Total Events: 51
Example

• Command Found:

20;3000;10;0;0;30;300;20;20;2000;3000#flood http !#1#XK3 28938090

• How Summary describes it (tomorrow):

IP SRC 1.1.1.1 PORT: 123 [ROLE: C2]
IP DEST a.a.a.a PORT: 234 [ROLE: BOT]
        b.b.b.b ..
        z.z.z.z

SIGAD/CASN:
SID: 12345
SIGNATURE NAME: BEB:BlackEnergy_DDoS_X_of_Y
FAMILY: BEB
TIME: 00:00:00 - 00:00:10

Total Events: 51
CONFIGURATION / BOTID: XK3 28938090
20;3000;10;0;0;30;300;20;20;2000;3000#flood http
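As an added illustration (not code from the slides, nor from TURMOIL or POUNDSAND) of how the per-flow alerts above roll up into the "tomorrow" summary, the Python below groups constructed alerts on the SID/IP/Port key that BotDiscoverySeg de-dups on for BotAnalyticSeg, assigns the C2/BOT roles, computes the time span and event count, and lifts the BOTID out of the matched command. The alert dict layout, parse_beb_command(), splitting the command on "#", and taking the prefix before ":" in the signature name as the FAMILY are all assumptions.

```python
from collections import defaultdict

# Constructed sample alerts shaped like the slide's "How alert describes it"
# (one tip per flow; the C2 is the source, the bots are the destinations).
BEB_CMD = "20;3000;10;0;0;30;300;20;20;2000;3000#flood http !#1#XK3 28938090"
ALERTS = [
    {"sid": 12345, "sig": "BEB:BlackEnergy_DDoS_X_of_Y", "src": "1.1.1.1", "sport": 123,
     "dst": "a.a.a.a", "dport": 234, "time": "00:00:00", "cmd": BEB_CMD},
    {"sid": 12345, "sig": "BEB:BlackEnergy_DDoS_X_of_Y", "src": "1.1.1.1", "sport": 123,
     "dst": "b.b.b.b", "dport": 234, "time": "00:00:05", "cmd": BEB_CMD},
    {"sid": 12345, "sig": "BEB:BlackEnergy_DDoS_X_of_Y", "src": "1.1.1.1", "sport": 123,
     "dst": "a.a.a.a", "dport": 234, "time": "00:00:10", "cmd": BEB_CMD},
]


def parse_beb_command(cmd):
    """Split '<config>#<command>#<n>#<botid>' (assumed layout of the slide's
    BEB string). Returns (config, command, botid); rejects other shapes."""
    parts = cmd.split("#")
    if len(parts) != 4:
        raise ValueError("unexpected BEB command shape: %r" % cmd)
    config, command, _, botid = parts
    return config, command.strip(), botid


def summarize(alerts):
    """Collapse per-flow alerts into one Event Summary per SID / C2 IP / port
    (the SID/IP/Port de-dup key) and enrich it with the extracted BOTID."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["sid"], a["src"], a["sport"])].append(a)
    summaries = []
    for (sid, c2_ip, c2_port), evs in groups.items():
        config, command, botid = parse_beb_command(evs[0]["cmd"])
        summaries.append({
            "SID": sid,
            "SIGNATURE NAME": evs[0]["sig"],
            "FAMILY": evs[0]["sig"].split(":", 1)[0],  # assumed: prefix before ':'
            "C2": (c2_ip, c2_port),                     # [ROLE: C2]
            "BOTS": sorted({e["dst"] for e in evs}),   # [ROLE: BOT], one line per IP
            "TIME": (min(e["time"] for e in evs), max(e["time"] for e in evs)),
            "Total Events": len(evs),
            "CONFIGURATION / BOTID": botid,
            "COMMAND": config + "#" + command,
        })
    return summaries


if __name__ == "__main__":
    for s in summarize(ALERTS):
        for k, v in s.items():
            print("%s: %s" % (k, v))
```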
Example #2

• Command Found:

JOIN :#marCh2#<crlf>:TESTING1.Virus.HERE 332 virus-squadlr #marCh2# :!NAZELmarCh2 http://_/page/file.jpeg aFile.exe 1<crlf>

• How alert describes it:
We don't want alert! It's insignificant for defensive activity!

• How summary describes it today:
IP SRC
IP DEST
SIGNATURE NAME: (XKS Fingerprint-derived)
Example

• Command Found:
JOIN :#marCh2#<crlf>:TESTING1.Virus.HERE 332 virus-squadlr #marCh2# :!NAZELmarCh2 http://_/page/file.jpeg aFile.exe 1<crlf>

• How Summary describes it (tomorrow):
IP SRC 1.1.1.1 PORT: 123 [ROLE: C2]
IP DEST a.a.a.a PORT: 234 [ROLE: BOT]
        b.b.b.b ..
        z.z.z.z
SIGAD/CASN:
SID: unknown!!!
SIGNATURE NAME: botnet/quantumbot/possible_download1 (XKS Fingerprint-derived)
FAMILY: IRC_GEN
TIME: 00:00:00 - 00:00:10
Total Events: 3
CONFIGURATION / BOTID / NICK
C&C COMMS / CONNECT / CHA
C&C COMMS / CONNECT / SER